Digital Identity Systems

Authors: Jordan Vallejo and the Transformation Management Institute™ Research Group

Status: IFS-3 | December 2025

Scope and boundary

This paper is descriptive and diagnostic rather than prescriptive. It does not provide legal advice, compliance guidance, security implementation instructions, or product recommendations. It analyzes digital identity as an interpretation system: how institutions and platforms stabilize identity decisions when the subject is not directly checkable, evidence arrives through mediated channels, and error costs vary by context.

Abstract

Digital identity is an interpretive environment where the reference condition is distributed across artifacts, devices, platforms, and institutions rather than directly observable. A person is not available as a continuously checkable object inside the interaction. Instead, systems coordinate access and accountability through identity claims, credentials, authenticators, and provenance signals that must be evaluated under constraint.

Contemporary generative AI intensifies this constraint by lowering the cost of high-realism impersonation, including face morphing, voice cloning, and document fabrication. This increases false-acceptance risk while also increasing denial plausibility, because contested events can be explained as either fraud or fabrication with higher apparent credibility.

IFS-3 treats digital identity as an interpretation system and introduces the Identity Binding Event (IBEv) as the unit of analysis. An IBEv is a complete interpretive cycle spanning: (1) a target identity reference condition, (2) encoding into identity artifacts and signals, (3) verifier decoding and credibility assignment, (4) response protocol selection, and (5) closure outcomes that determine whether identity is stabilized for the interaction or remains contested.

The study maps IBEv dynamics onto the MSS variable set: truth fidelity (T), signal alignment (P), structural coherence (C), drift (D), and affective regulation (A). It identifies recurring failure signatures and measurement candidates suitable for field observation in consumer platforms, workplaces, finance, government services, and online social environments.

1. Introduction

Digital identity is often treated as a technical problem of authentication, but the deeper phenomenon is interpretive: deciding whether to treat an actor as the same subject across time, contexts, and systems, and whether to grant access, authority, or credibility based on that decision.

In physical settings, identity can be stabilized through continuous presence, trusted capture, or direct social memory. In digital settings, the subject is mediated. The system operates through artifacts, signals, and institutional records, each of which is partial, forgeable, and unevenly legible to participants. Digital identity therefore functions as a recurring loop of encoding, decoding, credibility assignment, protocol routing, and closure.

Recent doctrine such as NIST’s Digital Identity Guidelines emphasizes that identity assurance is context bound: evidence thresholds and controls should match the consequence of error and the risk environment. In IFS-3 terms, this is a formal recognition that identity systems do not promise universal truth. They promise a bounded reference under declared requirements.

This paper contributes:

• IBEv as a unit of analysis for digital identity.

• A protocol-level map of identity decisions, including credibility operations, authority routing, and dispute pathways.

• A closure model that treats verification, dispute adjudication, and audit records as event outputs rather than optional after-work.

• A measurement candidate set suitable for field observation using existing identity artifacts and operational logs.

2. Research foundations from identity and mediated trust practice

IFS-3 is not a full literature review. The goal is to establish stable lineage for the operators that appear in an IBEv: proofing, binding, claim transport, evidentiary thresholds, capture integrity, and dispute closure. Digital identity is unusually rich in explicit standards and doctrine, and those standards often encode interpretive logic in technical form.

NIST’s Digital Identity Guidelines (SP 800-63, Revision 4) formalize identity proofing, authentication, and federation in terms of assurance targets and risk management. The core relevance to IFS-3 is that the system’s promise is explicitly bounded: controls are selected to achieve a declared confidence level for a declared purpose, rather than to establish an absolute claim about personhood.

Authentication is often colloquially framed as knowing who someone is, but operationally it is a binding decision: whether current signals are sufficiently linked to a previously enrolled subject under the system’s rules. This binding view makes room for lifecycle realities such as device loss, credential compromise, account recovery, and revocation, all of which alter effective evidence thresholds.

Federation architectures separate issuers, identity providers, verifiers, and relying parties, and then transport claims across boundaries. This introduces synchronization costs: different parties may weight evidence differently, interpret attributes differently, or apply different exception policies.

Standards (for example OpenID Connect and OAuth frameworks) act as signal alignment (P) stabilizers by enforcing shared formats and flows, but they do not guarantee coherent authority routing, coherent dispute handling, or coherent cost allocation when an assertion fails.

Biometric systems introduce a capture layer that can fail independently of matching accuracy. Presentation attack detection doctrine (for example ISO/IEC 30107-3) formalizes the idea that systems must separate capture integrity from recognition performance. Morphing and synthetic media techniques stress this distinction by producing artifacts that can pass naive capture assumptions.

Provenance initiatives and synthetic content transparency guidance increasingly treat media authenticity, integrity, and provenance as a technical domain rather than a purely social judgment. Digital identity workflows frequently treat images, video, audio, and documents as evidence. When provenance is weak, identity disputes become harder to close, and denial plausibility increases.

3. Domain boundary and system object

3.1 System object

A digital identity system is the bounded interpretive environment in which identity claims are presented and evaluated, evidence and signals are checked for integrity, binding, and freshness, access or authority decisions are routed through declared protocols, and the event is closed into an updated identity state, including dispute and audit outcomes.

3.2 Membership condition

An actor is in the identity system when participating in any of the following roles (human or machine mediated):

• Subject (the entity identity is about)

• Claimant (the entity presenting identity signals)

• Issuer (the authority issuing an identity credential or attribute claim)

• Verifier (the entity validating identity signals)

• Relying party (the entity granting access or authority based on verifier output)

• Identity provider or federation service (mediating assertions across services)

• Device and authenticator layer (keys, biometrics, passkeys)

• Platform and logging layer (policy, audit, dispute handling)

3.3 Interfaces treated in this field study

IFS-3 treats these as interfaces with distinct evidence thresholds, failure costs, and closure burdens:

• Consumer platforms and marketplaces

• Workplaces and internal access systems

• Financial services and regulated transactions

• Government services and civic identity interactions

• Online social environments where identity functions as credibility or reputation

4. The domain truth promise and evidence thresholds

4.1 The truth promise in digital identity

In MSS terms, a digital identity system’s truth promise is a promised reference.

When the system treats an actor as Subject S, the system is asserting that the presented signals are sufficiently bound to S, under declared requirements, for the purpose and risk context of the interaction.

This promise is not “the person is real.” It is a bounded binding claim: a declared sufficiency condition that supports a decision.

Operator: binding sufficiency under declared risk.

4.2 Evidence thresholds are context bound

Digital identity is not one threshold. Evidence thresholds vary by:

• consequence of error (money movement, safety, reputation, access to services)

• reversibility (whether the action can be unwound)

• attacker incentives and capability

• channel constraints (in person, remote, asynchronous)

• dispute burden (how closure is adjudicated, and by whom)

This is why modern guidance emphasizes selecting assurance targets and aligning controls accordingly, rather than treating identity as a single universal check.

5. Unit of analysis: Identity Binding Event (IBEv)

5.1 Canonical definition

An Identity Binding Event (IBEv) is a complete interpretive cycle in which an identity claim is presented, evaluated, routed into an authorization response, and closed into an updated identity state.

An IBEv is complete when the system either (a) stabilizes identity for a declared purpose and window, or (b) records contested status and routes the event into a dispute or investigation pathway.

5.2 IBEv phases

Phase 1. Reference condition

A target subject and relevant attributes exist as the intended reference. In many digital contexts, the reference is partly institutional and partly technical: records, prior bindings, device possession, and prior closure states.

Phase 2. Encoding into signals

The claimant renders identity into signals such as documents, selfies, video checks, biometrics, liveness signals, cryptographic authenticators and passkeys, tokens and claims via federation flows, and provenance metadata where relevant.

Phase 3. Decoding and credibility assignment

The verifier evaluates signals against requirements, checks integrity, binding, freshness, and provenance where available, and assigns a credibility outcome (sufficient, insufficient, suspicious, ambiguous).

Phase 4. Response protocol selection

The relying party selects a response protocol (grant, deny, step-up, re-proof, freeze, dispute, investigate).

Phase 5. Closure outcome

The system either closes the event (identity stabilized for the purpose of the session or transaction) or leaves it open (contested identity, residual suspicion, repeated re-verification). Closure quality sets the next event’s starting conditions.

5.3 IBEv boundaries

An IBEv begins when an identity claim is treated as decision relevant and triggers evaluation. It ends when a closure operator occurs (Section 9) or when the system enters an explicit contested state that drives recurrence (re-verification, recovery, investigation).

5.4 IBEv typology (minimal)

• Low-consequence access vs high-consequence transaction events

• First-time proofing vs routine authentication vs recovery events

• Single-system events vs federated events crossing organizational boundaries

• Human-reviewed events vs automated-only events

• Regulated vs non-regulated interface events

6. Signal ecology: credentials, devices, media, and provenance

6.1 Signal channels in digital identity

Common identity signals include:

• Credential artifacts (documents, account records, verified attributes)

• Possession signals (device binding, cryptographic keys, passkeys, tokens)

• Inherence signals (biometrics, liveness and capture-layer indicators)

• Behavioral and contextual signals (risk scoring, velocity, transaction context)

• Social and reputation signals (platform trust marks, account history)

• Provenance signals for media artifacts (integrity metadata, origin assertions, audit trails)

6.2 Partial observability is structural, not accidental

The subject cannot be continuously checked inside a mediated interaction. A stable subject can produce unstable signals (device loss, travel, network changes), and an attacker can produce stable-looking signals. This makes identity inherently dependent on evidence thresholds, cross-corroboration, and closure gates rather than on any single proof.

6.3 Narrative substitution in disputes

When signals are ambiguous, participants substitute narratives about what usually happens or what fraud looks like. The most consequential narrative substitutions occur in recovery and dispute pathways, where exception handling often becomes the attacker’s chosen route.

7. Response protocol families

7.1 Protocol definition

A response protocol is the relying party’s coordinated selection of action class, evidence threshold adjustment, and authority routing based on the decoded identity claim and the risk context.

7.2 Protocol families (minimal)

• Grant protocol: accept binding and grant access or transaction authority

• Deny protocol: reject binding and refuse access

• Step-up protocol: require stronger authenticators, additional factors, or trusted capture

• Re-proof protocol: repeat enrollment or identity proofing steps

• Freeze or containment protocol: pause activity, lock account, or restrict capabilities pending review

• Dispute and investigation protocol: route to human adjudication, fraud operations, or formal dispute resolution

7.3 Protocol mismatch patterns

• Strong primary authentication with weak recovery and exception pathways

• Federated access decisions made on attributes the relying party cannot interpret consistently

• Helpdesk overrides that bypass formal assurance targets under throughput pressure

• Risk-avoidant denials that stabilize the platform while externalizing harm to legitimate users

Operator: exception paths as alternate identity systems.

8. Modern AI pressure on identity systems

8.1 Impersonation realism and scaling

Public sector and financial reporting describe increased fraud attempts using synthetic media, including altered identity documents and synthetic audio or video used to pass checks or to induce humans to bypass controls. Generative AI lowers the cost of plausible language, high-quality artifact fabrication, and voice impersonation, which increases the baseline adversary capability assumed by identity systems.

8.2 Biometric-specific attack surfaces

Face morphing is a binding attack where one artifact can match multiple subjects. Operational risk increases when workflows accept user-submitted photos without trusted capture constraints. Guidance on morph detection emphasizes operational implementation and investigation workflows rather than detector accuracy alone.

8.3 Synthetic content risk is now an identity risk

Synthetic content guidance increasingly treats provenance, labeling, detection, and auditing as part of a risk reduction landscape. In identity terms, synthetic media reduces the default evidentiary status of images, video, and audio unless capture constraints and provenance are explicit.

8.4 The denial channel

As synthetic media awareness rises, “it is fake” becomes a usable claim in disputes. This shifts closure dynamics because contested events remain open longer and require stronger provenance, cross-corroboration, or institutional authority to resolve. Denial plausibility therefore increases closure burden and can raise drift if systems cannot scale adjudication quality.

9. Closure, disputes, recurrence, and drift

9.1 Closure definition

Closure is the event-level outcome in which the system records a decision consistent with its declared evidence threshold, the relying party’s action is executed (grant, deny, step-up, freeze), the identity state is updated for the declared purpose and time window, and any contestation is routed into a legible dispute or investigation pathway.

Closure does not require perfect certainty. It requires a decision record, an executed protocol, and a stable next state that reduces immediate recurrence.

9.2 Closure operators

• Successful authentication bound to a session and recorded with sufficient auditability

• Explicit denial with stated reason category and a next-step pathway

• Step-up completion (or failure) recorded as a state transition rather than silent friction

• Recovery completed with documented evidence threshold and revocation of compromised bindings

• Dispute adjudication outcome recorded, including whether the system treats identity as stabilized, contested, or compromised

9.3 Non-closure loops

Non-closure occurs when identity remains contested without a stable pathway to resolution. Common non-closure loops include repeated step-ups without successful completion, repeated recovery attempts, unresolved fraud investigations, and disputes where neither side can supply evidence that the system recognizes as decisive.

Non-closure increases recurrence probability and alters user behavior: workarounds, channel switching, abandonment, or escalation to external authorities. These behaviors are system responses to unstable closure architecture.

Operator: closure stability sets the next-state conditions for subsequent events.

9.4 Drift as a rate across repeated IBEv sequences

Within MSS, drift (D) is the rate at which misalignment accumulates when truth fidelity, signal alignment, or structural coherence cannot keep pace with system demands. In digital identity, drift appears as:

• increasing mismatch between real-world identity and account state

• normalization of manual overrides and exception pathways

• dispute volume growth and re-open cycles

• increasing reliance on weak signals because strong signals are costly

• rising denial plausibility as “fake” becomes a usable claim in adjudication

Drift is visible when binding decisions become less stable across time even if individual checks appear to work in isolation.

10. Structural distortion layers and unequal closure

False accepts and false rejects are not symmetric harms. Raising thresholds reduces fraud risk but increases legitimate lockouts. Unequal closure is therefore a measurable system output, not a side effect.

Distortion layers are not limited to prejudice. They include access to devices, stable connectivity, documentation availability, name and address stability, and institutional history. These factors shape what evidence a subject can produce and what a verifier will accept.

10.1 Discrimination and documentation burden

When systems require documentation that some populations are less likely to possess or can less easily replace, the identity system becomes a gate on civic and economic participation. In IBEv terms, this appears as an evidence threshold mismatch that routes legitimate subjects into repeated step-ups, denials, or recovery loops.

10.2 Device dependence and the digital divide

Strong binding often relies on devices (secure elements, passkeys, SIM-bound numbers) and stable access. Subjects without stable device access, stable phone numbers, or stable connectivity experience higher friction and higher non-closure rates. This is a structural driver of unequal closure probability independent of intent.

10.3 Name, address, and life-change mismatch

Life events such as relocation, marriage, divorce, immigration, or housing insecurity create attribute mismatches that can produce cascading verification failures. Systems that treat attribute mismatch as suspicion without providing coherent correction pathways increase drift and raise the probability of identity state divergence from the subject’s real situation.

10.4 Security theater and harm externalization

Some controls increase friction without meaningfully increasing binding confidence. These controls can create a false sense of assurance while shifting costs onto legitimate users. In MSS terms, this is often a signal alignment (P) or structural coherence (C) problem: signals look security-like but do not improve truth fidelity relative to the promised reference.

11. MSS variable mapping for IBEv

11.1 Truth Fidelity (T)

Truth fidelity is the degree to which identity outputs remain constrained by the system’s promised reference condition. In digital identity, T is primarily a binding property: whether presented signals remain plausibly anchored to the correct subject under the declared assurance target and constraints.

Candidate observables: post-grant fraud discovery rate, binding compromise rate, and evidence-strength distribution in high-consequence flows.

11.2 Signal Alignment (P)

Signal alignment is the degree to which identity signals remain interpretable and interoperable across participants. In identity, P includes claim formats, protocol compatibility, attribute semantics, authority weighting, and provenance readability.

Candidate observables: federation attribute mismatch rate, token and claim validation error rate, provenance readability rate for submitted media, and cross-party disagreement frequency on what evidence counts.

11.3 Structural Coherence (C)

Structural coherence is the consistency of identity rules across the lifecycle: issuance, proofing, authentication, recovery, revocation, audit, dispute resolution, and exception handling.

Candidate observables: recovery-to-login rule divergence, manual override rate, exception-path usage rate, and coherence of evidence thresholds across channels.

11.4 Drift (D)

Drift is the rate at which misalignment accumulates across repeated identity events when T, P, or C cannot keep pace with system pressures.

Candidate observables: growth rate of contested identity events, re-proofing frequency for previously stabilized subjects, dispute re-open rate, and increasing reliance on manual review for routine flows.

11.5 Affective Regulation (A)

Affective regulation is the system’s capacity to keep interpretation stable under stress. In digital identity, A shows up as user fatigue under repeated checks, verifier risk aversion during fraud spikes, helpdesk overload, and escalation behaviors under time pressure.

Candidate observables: abandonment rate during step-up, helpdesk queue volatility, denial spikes during fraud alerts, and variance in adjudication outcomes across similar cases.

12. Measurement candidates

12.1 IBEv-level measures

• Closure time per IBEv type (login, recovery, proofing, dispute)

• Step-up rate and step-up success rate by channel

• Override rate and manual exception rate

• Dispute re-open rate (closure stability proxy)

• Provenance completeness rate for media evidence in high-consequence flows

• Recovery event rate relative to baseline authentication events

12.2 Drift proxies

• Growth rate of contested identity events per cohort

• Re-proofing frequency for previously stabilized subjects

• Rate of mismatched attributes detected post-grant

• Repeat investigation rate for the same subject or account family

• Exception-path usage growth over time

12.3 AI pressure measures (where tracked)

• Rate of suspected synthetic media involvement in fraud reporting

• Morph-detection flag rate in photo-based workflows

• Voice-impersonation incident category frequency in human approval channels

• Dispute narratives invoking denial plausibility (“fake,” “cloned,” “generated”) frequency

12.4 Closure-quality measures (recommended additions)

• Closure stability rate: percentage of IBEv closures not re-opened within a declared window (for example 7, 30, or 90 days), stratified by IBEv type and channel

• Path divergence rate: percentage of subjects routed into recovery or exception paths relative to routine authentication, segmented by channel and cohort

12.5 Limits

No metric directly measures the full reference condition. The measurement target here is interpretive stability: binding confidence relative to declared thresholds, protocol routing coherence, closure stability, and drift patterns across time.

13. Method notes for field study execution

13.1 Data sources

• Identity proofing logs and vendor outputs

• Authentication logs, session risk scoring, and device-binding records

• Recovery artifacts and exception documentation

• Fraud and security incident tickets

• Dispute outcomes and adjudication notes

• Content provenance metadata where available

13.2 Ethics and harm constraints

Digital identity field study work interacts with privacy risk, discrimination risk, and power asymmetries. Any measurement program must declare boundary, retention, minimization, access control, and auditability.

Field study posture should treat false rejects and false accepts as jointly consequential outcomes whose costs distribute unevenly across populations and contexts.

14. Generalization beyond digital identity

Digital identity illustrates a broader class of meaning problems: mediated access interpretation where the subject cannot be directly verified and where closure depends on records, protocols, and dispute architecture. The IBEv approach is designed to transfer to other mediated trust domains (for example credentialing, provenance disputes, and delegated authority systems) while preserving domain-specific evidence thresholds and protocol families.

Institute Signature

Digital identity is a definitive case for Meaning System Science because the subject is consequential, yet not directly checkable inside the interaction. Identity decisions therefore rely on mediated signals, credibility assignment, authority routing, and closure records. This is the structural condition of access under constraint.

The IBEv model clarifies what identity systems actually do. They do not prove a person in general. They declare a bounded binding: that this set of artifacts and authenticators is sufficient to treat an actor as Subject S for a specific purpose, at a specific risk level, for a specific time window. Every recovery path, override, and dispute workflow is part of that identity system, because it can overturn or rebind the subject.

When proofing, authentication, recovery, and dispute handling apply coherent rules, identity stabilizes and closures hold. When they do not, the system produces repeat loops: step-up loops, recovery loops, contested disputes, and manual exceptions. Drift becomes visible as rising exception volume and falling closure stability.

The most damaging identity failures are not only fraud events. They are legitimate subjects the system cannot close back into a stable identity state.

Citation

Vallejo, J. (2025). Digital Identity Systems (IFS-3). Transformation Management Institute.

References

• NIST. Digital Identity Guidelines (SP 800-63, Revision 4). 2025.

• NIST. Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency (NIST AI 100-4). 2024.

• FinCEN. FinCEN Alert on Fraud Schemes Involving Deepfake Media Targeting Financial Institutions (FIN-2024-Alert004). Nov 13, 2024.

• Europol. EU Serious and Organised Crime Threat Assessment (EU-SOCTA) 2025: The Changing DNA of Serious and Organised Crime. 2025.

• FBI IC3. Criminals Use Generative Artificial Intelligence to Facilitate Fraud and Other Crimes. Dec 3, 2024.

• FBI IC3. Senior U.S. Officials Impersonated in Malicious Messaging and Voice Campaign. May 15, 2025.

• FBI IC3. Senior U.S. Officials Continue to be Impersonated in Malicious Messaging Campaign. Dec 19, 2025.

• NIST. Face Analysis Technology Evaluation (FATE) MORPH 4B: Considerations for Implementing Morph Detection in Operations (NISTIR 8584). 2025.

• ISO/IEC 30107-3. Biometric presentation attack detection: Part 3, Testing and reporting. Latest edition.

• OpenID Foundation. OpenID Connect Core 1.0.

• IETF. OAuth 2.1 Authorization Framework. Internet-Draft.

• W3C. Decentralized Identifiers (DIDs) v1.0. 2022.

• W3C. Verifiable Credentials Data Model v2.0. 2025.

• FIDO Alliance. Passkeys.

• C2PA. Content Credentials Specification.

• Chesney, R., and Citron, D. Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security. 2019.

• FTC. Materials on AI-enabled voice cloning and consumer protection.